The Problem With Apple Pay And Samsung Pay Isn't The Tech, It's The Banks

With the launch of Samsung Pay at Mobile World Congress 2015 - and with the Apple Watch just around the corner - the chatter around mobile payments has transformed into arguably the biggest story in tech. And it's not necessarily a positive story.

Apple Pay, launched in the US in September 2014, is becoming increasingly linked to fears of, or real instances of, credit card fraud in the US, and there's as much worry about this new model of paying for things as there is excitement.

But Cherian Abraham, a payments expert who has been consulting with banks on how to protect themselves, doesn't blame Apple for the problems ahead -- or Samsung, Google or PayPal.

He blames the banks.

Services like Apple Pay and Samsung Pay perhaps 'feel' instinctively less secure, because -- as when cards were first introduced -- they are somehow less 'physical' or 'real' than their antecedents. But in fact, both are inherently more secure than traditional payment types when used properly.

The core concept behind Apple Pay is that it lets you use an NFC 'ghost' of your credit card, but never retains your bank card details. Instead it turns your card details into a Device Account Number stored on a dedicated secure chip. When the time comes to pay, the Touch ID sensor authenticates the purchase and unlocks the chip; the chip then scrambles the number, packages it up and sends it over to the terminal. Finally the terminal receives the package, unscrambles it and processes the payment.

It's a process called 'tokenisation' and it's proving to be a real lifesaver for mobile payments because it means your card details are never actually stored on the device or in the cloud. Samsung Pay also uses tokenisation.

"The way that Apple has done it is a good compromise," said Silent Circle Chief Technical Officer Jon Callas. "What they’re really doing is that they are extending the life of your pin code."

So if the technology itself is secure, then where is the weak link?

As more reports are starting to confirm, the problem looks like it lies with the banks. In their haste to get customers to sign up to Apple Pay, Abraham is worried that banks simply aren't putting up enough barriers, instead making it easier for customers to add their (or someone else's) cards.

The key process you'll go through when you add a card to Apple Pay is called 'Yellow Path' authentication. That term describes the layer of security which, for instance, requires you to enter a code sent via SMS when you want to move money, or a code that appears in your bank's mobile app. It's practically part and parcel of banking here, but Abraham reports that banks in the US are far slower to adopt it. Instead they use a variety of methods which have their own flaws. It's by cracking, spoofing or just humiliating this part of the Apple Pay process that criminals are getting their claws in.

"Today, depending on your card issuer – you could expect much variance – such as being directed to their call center, being asked to authenticate via the bank’s mobile app, or an entirely other 2FA verification. As one can expect – each has varying levels of success and friction – with just a couple of banks opting to authenticate via their mobile apps, that would have provided a far easier and customer friendly provisioning experience."
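To make the two halves of the argument concrete, here is an added simulation (not Apple's, Samsung's or any issuer's real code): an issuer-side risk check that routes an add-card request down a green, yellow or red path and refuses to issue a token on the yellow path until a one-time code from the bank's own app is confirmed, followed by the tokenised payment itself, where the terminal only ever sees a Device Account Number and a one-time cryptogram. The card numbers, risk weights, token format and HMAC cryptogram are all constructed for illustration and are not the real network's scheme.

```python
import hashlib
import hmac
import secrets

# Constructed issuer data (not real cards): PAN on file, token vault, and step-up codes pushed to the bank app.
CARDS = {"4111111111111111": {"zip": "94016"}}
VAULT = {}             # Device Account Number -> PAN, device key, last counter seen
PENDING_STEP_UP = {}   # PAN -> one-time code awaiting confirmation via the bank's mobile app

def classify(req):
    """Risk-score an add-card request: green = approve, yellow = step-up first, red = decline."""
    card = CARDS.get(req["pan"])
    if card is None:
        return "red"
    risk = 2 if req["billing_zip"] != card["zip"] else 0   # address mismatch with card on file
    risk += 1 if req["device_age_days"] < 7 else 0          # brand-new device, no reputation
    risk += 2 if req["card_recently_reissued"] else 0       # reissued cards attract re-provisioning
    return "green" if risk == 0 else "yellow"

def provision(req, step_up_code=None):
    """Return (token, device_key) for the wallet's secure chip, or None if a check fails."""
    path = classify(req)
    if path == "red":
        return None
    if path == "yellow":   # the barrier the article says issuers are skipping
        expected = PENDING_STEP_UP.pop(req["pan"], None)
        if expected is None or step_up_code is None or not hmac.compare_digest(expected, step_up_code):
            return None
    token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
    key = secrets.token_bytes(32)
    VAULT[token] = {"pan": req["pan"], "key": key, "counter": 0}
    return token, key      # the real PAN never leaves the issuer

def device_pay(token, key, counter, amount):
    """What the phone hands the terminal: token, counter and a one-time cryptogram, never the PAN."""
    msg = f"{token}|{counter}|{amount}".encode()
    return {"token": token, "counter": counter, "amount": amount,
            "cryptogram": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def issuer_authorise(pkt):
    """Detokenise, check the cryptogram and reject a replayed or stale counter."""
    rec = VAULT.get(pkt["token"])
    if rec is None or pkt["counter"] <= rec["counter"]:
        return False
    msg = f"{pkt['token']}|{pkt['counter']}|{pkt['amount']}".encode()
    if not hmac.compare_digest(hmac.new(rec["key"], msg, hashlib.sha256).hexdigest(), pkt["cryptogram"]):
        return False
    rec["counter"] = pkt["counter"]
    return True
```

The point of the split is that the payment leg is only as trustworthy as the provisioning leg: a replayed or forged cryptogram fails, but a token handed out on the yellow path without the step-up is a perfectly valid instrument in the wrong hands.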

Arguably, by launching in the US Apple should have seen this coming. The US is not a major contactless market. It's not even close. According to Juniper Research's Dr Windsor Holden there were an estimated 40 million contactless (card and phone) payments in the US for the whole of 2014. The UK saw 46.1 million contactless transactions in December 2014 alone.

This means there are nearly 12 times more contactless payments in the UK than there are in the US. Why? Because in the US, cards are still the easiest and most convenient way to pay. As Callas points out, there's also little incentive for the banks or the consumer to switch over.

"In the US ... we have the strongest credit card consumer protection laws in the world, so Americans just basically don’t care because we’re protected no matter what we do with a credit card."

"Whereas in Europe and the UK the banks and payment industry have tried to push the liability onto the user, using chip and pin. So for those of us who are the consumers, I mean the irony is that everybody uses credit cards all the time in the United States because why not, it is safer than cash."

So how can the tech giants overcome this hurdle? Mastercard's President of International Markets Ann Cairns points out that as well as working with and supporting the new tech giants, the key is making sure even the 'old institutions' like the banks are brought along into the new world.

"We’ll say to banks ‘we can actually provide you with our security tools, our fraud tracking and so on, you can use some of your own, we can combine them’. It’s a product as well as a protective mechanism."

MasterCard isn't just going outside of its remit with the banks either, as Rose Beaumont, Group Head of Communications for MasterCard Europe, points out.

"I think it’s worth mentioning [that] as well as partnering with the banks, one of the things we’ve noticed on the back of Home Depot/Target, is actually where the data was the most insecure was at the merchants' point of sale. So off the back of that, they came to us."

But what their reaction shows too is that while fraud is still a problem, the solution is not new forms of payment hardware: it's actually the bedrock of our financial infrastructure. And while the UK would appear to be far more prepared for exploring this new frontier than the US, we too need to pay attention to the little things before the whole edifice comes crumbling down.